To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.753
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.753
- Committer: teddy at recompile
- Date: 2020-02-09 03:38:33 UTC
- mto: This revision was merged to the branch mainline in revision 396.
- Revision ID: teddy@recompile.se-20200209033833-2la1pujrnv2m0so4
Use reallocarray() if available, or check for overflow
* dracut-module/password-agent.c (add_to_queue): Check for overflow.
(test_add_to_queue_overflow): New test.
* plugin-runner.c (add_to_char_array, main): Use reallocarray().
* plugins.d/plymouth.c (exec_and_wait): - '' -
* dracut-module/password-agent.c (add_to_queue): Check for overflow.
(test_add_to_queue_overflow): New test.
* plugin-runner.c (add_to_char_array, main): Use reallocarray().
* plugins.d/plymouth.c (exec_and_wait): - '' -
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
81
import random
82
import shlex
82
83
83
84
import dbus
84
85
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
86
import gi
87
from gi.repository import GLib
90
88
from dbus.mainloop.glib import DBusGMainLoop
91
89
import ctypes
92
90
import ctypes.util
93
91
import xml.dom.minidom
94
92
import inspect
95
93
96
try:
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
97
122
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
123
except AttributeError:
99
124
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
100
127
from IN import SO_BINDTODEVICE
101
128
except ImportError:
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.7.1"
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.9"
108
147
stored_state_file = "clients.pickle"
109
148
110
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
111
151
syslogger = None
112
152
113
153
try:
114
154
if_nametoindex = ctypes.cdll.LoadLibrary(
115
155
ctypes.util.find_library("c")).if_nametoindex
116
156
except (OSError, AttributeError):
117
157
118
158
def if_nametoindex(interface):
119
159
"Get an interface index the hard way, i.e. using fcntl()"
120
160
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
165
return interface_index
126
166
127
167
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
128
184
def initlogger(debug, level=logging.WARNING):
129
185
"""init logger and add loglevel"""
130
186
131
187
global syslogger
132
188
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
135
191
syslogger.setFormatter(logging.Formatter
136
192
('Mandos [%(process)d]: %(levelname)s:'
137
193
' %(message)s'))
138
194
logger.addHandler(syslogger)
139
195
140
196
if debug:
141
197
console = logging.StreamHandler()
142
198
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
208
pass
153
209
154
210
155
class PGPEngine(object):
211
class PGPEngine:
156
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
213
158
214
def __init__(self):
159
215
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
160
227
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
228
'--homedir', self.tempdir,
162
229
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
166
235
def __enter__(self):
167
236
return self
168
237
169
238
def __exit__(self, exc_type, exc_value, traceback):
170
239
self._cleanup()
171
240
return False
172
241
173
242
def __del__(self):
174
243
self._cleanup()
175
244
176
245
def _cleanup(self):
177
246
if self.tempdir is not None:
178
247
# Delete contents of tempdir
179
248
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
249
topdown=False):
181
250
for filename in files:
182
251
os.remove(os.path.join(root, filename))
183
252
for dirname in dirs:
185
254
# Remove tempdir
186
255
os.rmdir(self.tempdir)
187
256
self.tempdir = None
188
257
189
258
def password_encode(self, password):
190
259
# Passphrase can not be empty and can not contain newlines or
191
260
# NUL bytes. So we prefix it and hex encode it.
196
265
.replace(b"\n", b"\\n")
197
266
.replace(b"\0", b"\\x00"))
198
267
return encoded
199
268
200
269
def encrypt(self, data, password):
201
270
passphrase = self.password_encode(password)
202
271
with tempfile.NamedTemporaryFile(
203
272
dir=self.tempdir) as passfile:
204
273
passfile.write(passphrase)
205
274
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
275
proc = subprocess.Popen([self.gpg, '--symmetric',
207
276
'--passphrase-file',
208
277
passfile.name]
209
278
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
214
283
if proc.returncode != 0:
215
284
raise PGPError(err)
216
285
return ciphertext
217
286
218
287
def decrypt(self, data, password):
219
288
passphrase = self.password_encode(password)
220
289
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
290
dir=self.tempdir) as passfile:
222
291
passfile.write(passphrase)
223
292
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
293
proc = subprocess.Popen([self.gpg, '--decrypt',
225
294
'--passphrase-file',
226
295
passfile.name]
227
296
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
232
301
if proc.returncode != 0:
233
302
raise PGPError(err)
234
303
return decrypted_plaintext
235
304
236
305
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
237
332
class AvahiError(Exception):
238
333
def __init__(self, value, *args, **kwargs):
239
334
self.value = value
249
344
pass
250
345
251
346
252
class AvahiService(object):
347
class AvahiService:
253
348
"""An Avahi (Zeroconf) service.
254
349
255
350
Attributes:
256
351
interface: integer; avahi.IF_UNSPEC or an interface index.
257
352
Used to optionally bind to the specified interface.
269
364
server: D-Bus Server
270
365
bus: dbus.SystemBus()
271
366
"""
272
367
273
368
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
284
379
self.interface = interface
285
380
self.name = name
286
381
self.type = servicetype
295
390
self.server = None
296
391
self.bus = bus
297
392
self.entry_group_state_changed_match = None
298
393
299
394
def rename(self, remove=True):
300
395
"""Derived from the Avahi example code"""
301
396
if self.rename_count >= self.max_renames:
321
416
logger.critical("D-Bus Exception", exc_info=error)
322
417
self.cleanup()
323
418
os._exit(1)
324
419
325
420
def remove(self):
326
421
"""Derived from the Avahi example code"""
327
422
if self.entry_group_state_changed_match is not None:
329
424
self.entry_group_state_changed_match = None
330
425
if self.group is not None:
331
426
self.group.Reset()
332
427
333
428
def add(self):
334
429
"""Derived from the Avahi example code"""
335
430
self.remove()
352
447
dbus.UInt16(self.port),
353
448
avahi.string_array_to_txt_array(self.TXT))
354
449
self.group.Commit()
355
450
356
451
def entry_group_state_changed(self, state, error):
357
452
"""Derived from the Avahi example code"""
358
453
logger.debug("Avahi entry group state change: %i", state)
359
454
360
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
456
logger.debug("Zeroconf service established.")
362
457
elif state == avahi.ENTRY_GROUP_COLLISION:
366
461
logger.critical("Avahi: Error in group state changed %s",
367
462
str(error))
368
463
raise AvahiGroupError("State changed: {!s}".format(error))
369
464
370
465
def cleanup(self):
371
466
"""Derived from the Avahi example code"""
372
467
if self.group is not None:
377
472
pass
378
473
self.group = None
379
474
self.remove()
380
475
381
476
def server_state_changed(self, state, error=None):
382
477
"""Derived from the Avahi example code"""
383
478
logger.debug("Avahi server state change: %i", state)
412
507
logger.debug("Unknown state: %r", state)
413
508
else:
414
509
logger.debug("Unknown state: %r: %r", state, error)
415
510
416
511
def activate(self):
417
512
"""Derived from the Avahi example code"""
418
513
if self.server is None:
429
524
class AvahiServiceToSyslog(AvahiService):
430
525
def rename(self, *args, **kwargs):
431
526
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
528
syslogger.setFormatter(logging.Formatter(
434
529
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
530
.format(self.name)))
436
531
return ret
437
532
533
534
# Pretend that we have a GnuTLS module
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
537
538
library = ctypes.util.find_library("gnutls")
539
if library is None:
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
542
del library
543
544
# Unless otherwise indicated, the constants and types below are
545
# all from the gnutls/gnutls.h C header file.
546
547
# Constants
548
E_SUCCESS = 0
549
E_INTERRUPTED = -52
550
E_AGAIN = -28
551
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
553
CLIENT = 2
554
SHUT_RDWR = 0
555
CRD_CERTIFICATE = 1
556
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
563
564
# Types
565
class session_int(ctypes.Structure):
566
_fields_ = []
567
session_t = ctypes.POINTER(session_int)
568
569
class certificate_credentials_st(ctypes.Structure):
570
_fields_ = []
571
certificate_credentials_t = ctypes.POINTER(
572
certificate_credentials_st)
573
certificate_type_t = ctypes.c_int
574
575
class datum_t(ctypes.Structure):
576
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
577
('size', ctypes.c_uint)]
578
579
class openpgp_crt_int(ctypes.Structure):
580
_fields_ = []
581
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
credentials_type_t = ctypes.c_int
585
transport_ptr_t = ctypes.c_void_p
586
close_request_t = ctypes.c_int
587
588
# Exceptions
589
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
591
# Default usage is by a message string, but if a return
592
# code is passed, convert it to a string with
593
# gnutls.strerror()
594
self.code = code
595
if message is None and code is not None:
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
598
message, *args)
599
600
class CertificateSecurityError(Error):
601
pass
602
603
# Classes
604
class Credentials:
605
def __init__(self):
606
self._c_object = gnutls.certificate_credentials_t()
607
gnutls.certificate_allocate_credentials(
608
ctypes.byref(self._c_object))
609
self.type = gnutls.CRD_CERTIFICATE
610
611
def __del__(self):
612
gnutls.certificate_free_credentials(self._c_object)
613
614
class ClientSession:
615
def __init__(self, socket, credentials=None):
616
self._c_object = gnutls.session_t()
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
620
if gnutls.has_rawpk:
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
623
del gnutls_flags
624
gnutls.set_default_priority(self._c_object)
625
gnutls.transport_set_ptr(self._c_object, socket.fileno())
626
gnutls.handshake_set_private_extensions(self._c_object,
627
True)
628
self.socket = socket
629
if credentials is None:
630
credentials = gnutls.Credentials()
631
gnutls.credentials_set(self._c_object, credentials.type,
632
ctypes.cast(credentials._c_object,
633
ctypes.c_void_p))
634
self.credentials = credentials
635
636
def __del__(self):
637
gnutls.deinit(self._c_object)
638
639
def handshake(self):
640
return gnutls.handshake(self._c_object)
641
642
def send(self, data):
643
data = bytes(data)
644
data_len = len(data)
645
while data_len > 0:
646
data_len -= gnutls.record_send(self._c_object,
647
data[-data_len:],
648
data_len)
649
650
def bye(self):
651
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
652
653
# Error handling functions
654
def _error_code(result):
655
"""A function to raise exceptions on errors, suitable
656
for the 'restype' attribute on ctypes functions"""
657
if result >= 0:
658
return result
659
if result == gnutls.E_NO_CERTIFICATE_FOUND:
660
raise gnutls.CertificateSecurityError(code=result)
661
raise gnutls.Error(code=result)
662
663
def _retry_on_error(result, func, arguments):
664
"""A function to retry on some errors, suitable
665
for the 'errcheck' attribute on ctypes functions"""
666
while result < 0:
667
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
668
return _error_code(result)
669
result = func(*arguments)
670
return result
671
672
# Unless otherwise indicated, the function declarations below are
673
# all from the gnutls/gnutls.h C header file.
674
675
# Functions
676
priority_set_direct = _library.gnutls_priority_set_direct
677
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
678
ctypes.POINTER(ctypes.c_char_p)]
679
priority_set_direct.restype = _error_code
680
681
init = _library.gnutls_init
682
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
683
init.restype = _error_code
684
685
set_default_priority = _library.gnutls_set_default_priority
686
set_default_priority.argtypes = [session_t]
687
set_default_priority.restype = _error_code
688
689
record_send = _library.gnutls_record_send
690
record_send.argtypes = [session_t, ctypes.c_void_p,
691
ctypes.c_size_t]
692
record_send.restype = ctypes.c_ssize_t
693
record_send.errcheck = _retry_on_error
694
695
certificate_allocate_credentials = (
696
_library.gnutls_certificate_allocate_credentials)
697
certificate_allocate_credentials.argtypes = [
698
ctypes.POINTER(certificate_credentials_t)]
699
certificate_allocate_credentials.restype = _error_code
700
701
certificate_free_credentials = (
702
_library.gnutls_certificate_free_credentials)
703
certificate_free_credentials.argtypes = [
704
certificate_credentials_t]
705
certificate_free_credentials.restype = None
706
707
handshake_set_private_extensions = (
708
_library.gnutls_handshake_set_private_extensions)
709
handshake_set_private_extensions.argtypes = [session_t,
710
ctypes.c_int]
711
handshake_set_private_extensions.restype = None
712
713
credentials_set = _library.gnutls_credentials_set
714
credentials_set.argtypes = [session_t, credentials_type_t,
715
ctypes.c_void_p]
716
credentials_set.restype = _error_code
717
718
strerror = _library.gnutls_strerror
719
strerror.argtypes = [ctypes.c_int]
720
strerror.restype = ctypes.c_char_p
721
722
certificate_type_get = _library.gnutls_certificate_type_get
723
certificate_type_get.argtypes = [session_t]
724
certificate_type_get.restype = _error_code
725
726
certificate_get_peers = _library.gnutls_certificate_get_peers
727
certificate_get_peers.argtypes = [session_t,
728
ctypes.POINTER(ctypes.c_uint)]
729
certificate_get_peers.restype = ctypes.POINTER(datum_t)
730
731
global_set_log_level = _library.gnutls_global_set_log_level
732
global_set_log_level.argtypes = [ctypes.c_int]
733
global_set_log_level.restype = None
734
735
global_set_log_function = _library.gnutls_global_set_log_function
736
global_set_log_function.argtypes = [log_func]
737
global_set_log_function.restype = None
738
739
deinit = _library.gnutls_deinit
740
deinit.argtypes = [session_t]
741
deinit.restype = None
742
743
handshake = _library.gnutls_handshake
744
handshake.argtypes = [session_t]
745
handshake.restype = _error_code
746
handshake.errcheck = _retry_on_error
747
748
transport_set_ptr = _library.gnutls_transport_set_ptr
749
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
750
transport_set_ptr.restype = None
751
752
bye = _library.gnutls_bye
753
bye.argtypes = [session_t, close_request_t]
754
bye.restype = _error_code
755
bye.errcheck = _retry_on_error
756
757
check_version = _library.gnutls_check_version
758
check_version.argtypes = [ctypes.c_char_p]
759
check_version.restype = ctypes.c_char_p
760
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
765
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
768
769
if has_rawpk:
770
# Types
771
class pubkey_st(ctypes.Structure):
772
_fields = []
773
pubkey_t = ctypes.POINTER(pubkey_st)
774
775
x509_crt_fmt_t = ctypes.c_int
776
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
781
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
784
x509_crt_fmt_t]
785
pubkey_import.restype = _error_code
786
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
792
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
796
else:
797
# All the function declarations below are from gnutls/openpgp.h
798
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
802
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
806
openpgp_crt_fmt_t]
807
openpgp_crt_import.restype = _error_code
808
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
813
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
817
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
821
ctypes.c_void_p,
822
ctypes.POINTER(
823
ctypes.c_size_t)]
824
openpgp_crt_get_fingerprint.restype = _error_code
825
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
830
831
# Remove non-public functions
832
del _error_code, _retry_on_error
833
834
438
835
def call_pipe(connection, # : multiprocessing.Connection
439
836
func, *args, **kwargs):
440
837
"""This function is meant to be called by multiprocessing.Process
441
838
442
839
This function runs func(*args, **kwargs), and writes the resulting
443
840
return value on the provided multiprocessing.Connection.
444
841
"""
445
842
connection.send(func(*args, **kwargs))
446
843
connection.close()
447
844
448
class Client(object):
845
846
class Client:
449
847
"""A representation of a client host served by this server.
450
848
451
849
Attributes:
452
850
approved: bool(); 'None' if not yet approved/disapproved
453
851
approval_delay: datetime.timedelta(); Time to wait for approval
454
852
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
855
running.
856
checker_callback_tag: a GLib event source tag, or None
459
857
checker_command: string; External command which is run to check
460
858
if client lives. %() expansions are done at
461
859
runtime with vars(self) as dict, so that for
462
860
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
861
checker_initiator_tag: a GLib event source tag, or None
464
862
created: datetime.datetime(); (UTC) object creation
465
863
client_structure: Object describing what attributes a client has
466
864
and is used for storing the client at exit
467
865
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
866
disable_initiator_tag: a GLib event source tag, or None
469
867
enabled: bool()
470
868
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
472
872
host: string; available for use by the checker command
473
873
interval: datetime.timedelta(); How often to start a new checker
474
874
last_approval_request: datetime.datetime(); (UTC) or None
490
890
disabled, or None
491
891
server_settings: The server_settings dict from main()
492
892
"""
493
893
494
894
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
895
"created", "enabled", "expires", "key_id",
496
896
"fingerprint", "host", "interval",
497
897
"last_approval_request", "last_checked_ok",
498
898
"last_enabled", "name", "timeout")
507
907
"approved_by_default": "True",
508
908
"enabled": "True",
509
909
}
510
910
511
911
@staticmethod
512
912
def config_parser(config):
513
913
"""Construct a new dict of client settings of this form:
520
920
for client_name in config.sections():
521
921
section = dict(config.items(client_name))
522
922
client = settings[client_name] = {}
523
923
524
924
client["host"] = section["host"]
525
925
# Reformat values from string types to Python types
526
926
client["approved_by_default"] = config.getboolean(
527
927
client_name, "approved_by_default")
528
928
client["enabled"] = config.getboolean(client_name,
529
929
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
930
931
# Uppercase and remove spaces from key_id and fingerprint
932
# for later comparison purposes with return value from the
933
# key_id() and fingerprint() functions
934
client["key_id"] = (section.get("key_id", "").upper()
935
.replace(" ", ""))
534
936
client["fingerprint"] = (section["fingerprint"].upper()
535
937
.replace(" ", ""))
536
938
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
939
client["secret"] = codecs.decode(section["secret"]
940
.encode("utf-8"),
941
"base64")
538
942
elif "secfile" in section:
539
943
with open(os.path.expanduser(os.path.expandvars
540
944
(section["secfile"])),
555
959
client["last_approval_request"] = None
556
960
client["last_checked_ok"] = None
557
961
client["last_checker_status"] = -2
558
962
559
963
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
964
965
def __init__(self, settings, name=None, server_settings=None):
562
966
self.name = name
563
967
if server_settings is None:
564
968
server_settings = {}
566
970
# adding all client settings
567
971
for setting, value in settings.items():
568
972
setattr(self, setting, value)
569
973
570
974
if self.enabled:
571
975
if not hasattr(self, "last_enabled"):
572
976
self.last_enabled = datetime.datetime.utcnow()
576
980
else:
577
981
self.last_enabled = None
578
982
self.expires = None
579
983
580
984
logger.debug("Creating client %r", self.name)
985
logger.debug(" Key ID: %s", self.key_id)
581
986
logger.debug(" Fingerprint: %s", self.fingerprint)
582
987
self.created = settings.get("created",
583
988
datetime.datetime.utcnow())
584
989
585
990
# attributes specific for this server instance
586
991
self.checker = None
587
992
self.checker_initiator_tag = None
593
998
self.changedstate = multiprocessing_manager.Condition(
594
999
multiprocessing_manager.Lock())
595
1000
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
1001
for attr in self.__dict__.keys()
597
1002
if not attr.startswith("_")]
598
1003
self.client_structure.append("client_structure")
599
1004
600
1005
for name, t in inspect.getmembers(
601
1006
type(self), lambda obj: isinstance(obj, property)):
602
1007
if not name.startswith("_"):
603
1008
self.client_structure.append(name)
604
1009
605
1010
# Send notice to process children that client state has changed
606
1011
def send_changedstate(self):
607
1012
with self.changedstate:
608
1013
self.changedstate.notify_all()
609
1014
610
1015
def enable(self):
611
1016
"""Start this client's checker and timeout hooks"""
612
1017
if getattr(self, "enabled", False):
617
1022
self.last_enabled = datetime.datetime.utcnow()
618
1023
self.init_checker()
619
1024
self.send_changedstate()
620
1025
621
1026
def disable(self, quiet=True):
622
1027
"""Disable this client."""
623
1028
if not getattr(self, "enabled", False):
625
1030
if not quiet:
626
1031
logger.info("Disabling client %s", self.name)
627
1032
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1033
GLib.source_remove(self.disable_initiator_tag)
629
1034
self.disable_initiator_tag = None
630
1035
self.expires = None
631
1036
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1037
GLib.source_remove(self.checker_initiator_tag)
633
1038
self.checker_initiator_tag = None
634
1039
self.stop_checker()
635
1040
self.enabled = False
636
1041
if not quiet:
637
1042
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1043
# Do not run this again if called by a GLib.timeout_add
639
1044
return False
640
1045
641
1046
def __del__(self):
642
1047
self.disable()
643
1048
644
1049
def init_checker(self):
645
1050
# Schedule a new checker to be started an 'interval' from now,
646
1051
# and every interval from then on.
647
1052
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1053
GLib.source_remove(self.checker_initiator_tag)
1054
self.checker_initiator_tag = GLib.timeout_add(
1055
random.randrange(int(self.interval.total_seconds() * 1000
1056
+ 1)),
651
1057
self.start_checker)
652
1058
# Schedule a disable() when 'timeout' has passed
653
1059
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1060
GLib.source_remove(self.disable_initiator_tag)
1061
self.disable_initiator_tag = GLib.timeout_add(
656
1062
int(self.timeout.total_seconds() * 1000), self.disable)
657
1063
# Also start a new checker *right now*.
658
1064
self.start_checker()
659
1065
660
1066
def checker_callback(self, source, condition, connection,
661
1067
command):
662
1068
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1069
# Read return code from connection (see call_pipe)
666
1070
returncode = connection.recv()
667
1071
connection.close()
668
1072
if self.checker is not None:
1073
self.checker.join()
1074
self.checker_callback_tag = None
1075
self.checker = None
1076
669
1077
if returncode >= 0:
670
1078
self.last_checker_status = returncode
671
1079
self.last_checker_signal = None
681
1089
logger.warning("Checker for %(name)s crashed?",
682
1090
vars(self))
683
1091
return False
684
1092
685
1093
def checked_ok(self):
686
1094
"""Assert that the client has been seen, alive and well."""
687
1095
self.last_checked_ok = datetime.datetime.utcnow()
688
1096
self.last_checker_status = 0
689
1097
self.last_checker_signal = None
690
1098
self.bump_timeout()
691
1099
692
1100
def bump_timeout(self, timeout=None):
693
1101
"""Bump up the timeout for this client."""
694
1102
if timeout is None:
695
1103
timeout = self.timeout
696
1104
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1105
GLib.source_remove(self.disable_initiator_tag)
698
1106
self.disable_initiator_tag = None
699
1107
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1108
self.disable_initiator_tag = GLib.timeout_add(
701
1109
int(timeout.total_seconds() * 1000), self.disable)
702
1110
self.expires = datetime.datetime.utcnow() + timeout
703
1111
704
1112
def need_approval(self):
705
1113
self.last_approval_request = datetime.datetime.utcnow()
706
1114
707
1115
def start_checker(self):
708
1116
"""Start a new checker subprocess if one is not running.
709
1117
710
1118
If a checker already exists, leave it running and do
711
1119
nothing."""
712
1120
# The reason for not killing a running checker is that if we
717
1125
# checkers alone, the checker would have to take more time
718
1126
# than 'timeout' for the client to be disabled, which is as it
719
1127
# should be.
720
1128
721
1129
if self.checker is not None and not self.checker.is_alive():
722
1130
logger.warning("Checker was not alive; joining")
723
1131
self.checker.join()
726
1134
if self.checker is None:
727
1135
# Escape attributes for the shell
728
1136
escaped_attrs = {
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1137
attr: shlex.quote(str(getattr(self, attr)))
1138
for attr in self.runtime_expansions}
731
1139
try:
732
1140
command = self.checker_command % escaped_attrs
733
1141
except TypeError as error:
745
1153
# The exception is when not debugging but nevertheless
746
1154
# running in the foreground; use the previously
747
1155
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1156
popen_args = {"close_fds": True,
1157
"shell": True,
1158
"cwd": "/"}
751
1159
if (not self.server_settings["debug"]
752
1160
and self.server_settings["foreground"]):
753
1161
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1162
"stderr": wnull})
1163
pipe = multiprocessing.Pipe(duplex=False)
756
1164
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1165
target=call_pipe,
1166
args=(pipe[1], subprocess.call, command),
1167
kwargs=popen_args)
760
1168
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1169
self.checker_callback_tag = GLib.io_add_watch(
1170
GLib.IOChannel.unix_new(pipe[0].fileno()),
1171
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
763
1172
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1173
# Re-run this periodically if run by GLib.timeout_add
765
1174
return True
766
1175
767
1176
def stop_checker(self):
768
1177
"""Force the checker process, if any, to stop."""
769
1178
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1179
GLib.source_remove(self.checker_callback_tag)
771
1180
self.checker_callback_tag = None
772
1181
if getattr(self, "checker", None) is None:
773
1182
return
782
1191
byte_arrays=False):
783
1192
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1193
become properties on the D-Bus.
785
1194
786
1195
The decorated method will be called with no arguments by "Get"
787
1196
and with one argument by "Set".
788
1197
789
1198
The parameters, where they are supported, are the same as
790
1199
dbus.service.method, except there is only "signature", since the
791
1200
type from Get() and the type sent to Set() is the same.
795
1204
if byte_arrays and signature != "ay":
796
1205
raise ValueError("Byte arrays not supported for non-'ay'"
797
1206
" signature {!r}".format(signature))
798
1207
799
1208
def decorator(func):
800
1209
func._dbus_is_property = True
801
1210
func._dbus_interface = dbus_interface
804
1213
func._dbus_name = func.__name__
805
1214
if func._dbus_name.endswith("_dbus_property"):
806
1215
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1216
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1217
return func
809
1218
810
1219
return decorator
811
1220
812
1221
813
1222
def dbus_interface_annotations(dbus_interface):
814
1223
"""Decorator for marking functions returning interface annotations
815
1224
816
1225
Usage:
817
1226
818
1227
@dbus_interface_annotations("org.example.Interface")
819
1228
def _foo(self): # Function name does not matter
820
1229
return {"org.freedesktop.DBus.Deprecated": "true",
821
1230
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1231
"false"}
823
1232
"""
824
1233
825
1234
def decorator(func):
826
1235
func._dbus_is_interface = True
827
1236
func._dbus_interface = dbus_interface
828
1237
func._dbus_name = dbus_interface
829
1238
return func
830
1239
831
1240
return decorator
832
1241
833
1242
834
1243
def dbus_annotations(annotations):
835
1244
"""Decorator to annotate D-Bus methods, signals or properties
836
1245
Usage:
837
1246
838
1247
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1248
"org.freedesktop.DBus.Property."
840
1249
"EmitsChangedSignal": "false"})
842
1251
access="r")
843
1252
def Property_dbus_property(self):
844
1253
return dbus.Boolean(False)
845
1254
846
1255
See also the DBusObjectWithAnnotations class.
847
1256
"""
848
1257
849
1258
def decorator(func):
850
1259
func._dbus_annotations = annotations
851
1260
return func
852
1261
853
1262
return decorator
854
1263
855
1264
873
1282
874
1283
class DBusObjectWithAnnotations(dbus.service.Object):
875
1284
"""A D-Bus object with annotations.
876
1285
877
1286
Classes inheriting from this can use the dbus_annotations
878
1287
decorator to add annotations to methods or signals.
879
1288
"""
880
1289
881
1290
@staticmethod
882
1291
def _is_dbus_thing(thing):
883
1292
"""Returns a function testing if an attribute is a D-Bus thing
884
1293
885
1294
If called like _is_dbus_thing("method") it returns a function
886
1295
suitable for use as predicate to inspect.getmembers().
887
1296
"""
888
1297
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1298
False)
890
1299
891
1300
def _get_all_dbus_things(self, thing):
892
1301
"""Returns a generator of (name, attribute) pairs
893
1302
"""
896
1305
for cls in self.__class__.__mro__
897
1306
for name, athing in
898
1307
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1308
900
1309
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1310
out_signature="s",
1311
path_keyword='object_path',
1312
connection_keyword='connection')
904
1313
def Introspect(self, object_path, connection):
905
1314
"""Overloading of standard D-Bus method.
906
1315
907
1316
Inserts annotation tags on methods and signals.
908
1317
"""
909
1318
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1319
connection)
911
1320
try:
912
1321
document = xml.dom.minidom.parseString(xmlstring)
913
1322
914
1323
for if_tag in document.getElementsByTagName("interface"):
915
1324
# Add annotation tags
916
1325
for typ in ("method", "signal"):
943
1352
if_tag.appendChild(ann_tag)
944
1353
# Fix argument name for the Introspect method itself
945
1354
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1355
== dbus.INTROSPECTABLE_IFACE):
947
1356
for cn in if_tag.getElementsByTagName("method"):
948
1357
if cn.getAttribute("name") == "Introspect":
949
1358
for arg in cn.getElementsByTagName("arg"):
962
1371
963
1372
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1373
"""A D-Bus object with properties.
965
1374
966
1375
Classes inheriting from this can use the dbus_service_property
967
1376
decorator to expose methods as D-Bus properties. It exposes the
968
1377
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1378
"""
970
1379
971
1380
def _get_dbus_property(self, interface_name, property_name):
972
1381
"""Returns a bound method if one exists which is a D-Bus
973
1382
property with the specified name and interface.
978
1387
if (value._dbus_name == property_name
979
1388
and value._dbus_interface == interface_name):
980
1389
return value.__get__(self)
981
1390
982
1391
# No such property
983
1392
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1393
self.dbus_object_path, interface_name, property_name))
985
1394
986
1395
@classmethod
987
1396
def _get_all_interface_names(cls):
988
1397
"""Get a sequence of all interfaces supported by an object"""
991
1400
for x in (inspect.getmro(cls))
992
1401
for attr in dir(x))
993
1402
if name is not None)
994
1403
995
1404
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1405
in_signature="ss",
997
1406
out_signature="v")
1005
1414
if not hasattr(value, "variant_level"):
1006
1415
return value
1007
1416
return type(value)(value, variant_level=value.variant_level+1)
1008
1417
1009
1418
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1419
def Set(self, interface_name, property_name, value):
1011
1420
"""Standard D-Bus property Set() method, see D-Bus standard.
1020
1429
raise ValueError("Byte arrays not supported for non-"
1021
1430
"'ay' signature {!r}"
1022
1431
.format(prop._dbus_signature))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1432
value = dbus.ByteArray(bytes(value))
1025
1433
prop(value)
1026
1434
1027
1435
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1436
in_signature="s",
1029
1437
out_signature="a{sv}")
1030
1438
def GetAll(self, interface_name):
1031
1439
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1440
standard.
1033
1441
1034
1442
Note: Will not include properties with access="write".
1035
1443
"""
1036
1444
properties = {}
1047
1455
properties[name] = value
1048
1456
continue
1049
1457
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1458
value, variant_level=value.variant_level + 1)
1051
1459
return dbus.Dictionary(properties, signature="sv")
1052
1460
1053
1461
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1462
def PropertiesChanged(self, interface_name, changed_properties,
1055
1463
invalidated_properties):
1057
1465
standard.
1058
1466
"""
1059
1467
pass
1060
1468
1061
1469
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1470
out_signature="s",
1063
1471
path_keyword='object_path',
1064
1472
connection_keyword='connection')
1065
1473
def Introspect(self, object_path, connection):
1066
1474
"""Overloading of standard D-Bus method.
1067
1475
1068
1476
Inserts property tags and interface annotation tags.
1069
1477
"""
1070
1478
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1480
connection)
1073
1481
try:
1074
1482
document = xml.dom.minidom.parseString(xmlstring)
1075
1483
1076
1484
def make_tag(document, name, prop):
1077
1485
e = document.createElement("property")
1078
1486
e.setAttribute("name", name)
1079
1487
e.setAttribute("type", prop._dbus_signature)
1080
1488
e.setAttribute("access", prop._dbus_access)
1081
1489
return e
1082
1490
1083
1491
for if_tag in document.getElementsByTagName("interface"):
1084
1492
# Add property tags
1085
1493
for tag in (make_tag(document, name, prop)
1127
1535
exc_info=error)
1128
1536
return xmlstring
1129
1537
1538
1130
1539
try:
1131
1540
dbus.OBJECT_MANAGER_IFACE
1132
1541
except AttributeError:
1133
1542
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1543
1544
1135
1545
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1546
"""A D-Bus object with an ObjectManager.
1137
1547
1138
1548
Classes inheriting from this exposes the standard
1139
1549
GetManagedObjects call and the InterfacesAdded and
1140
1550
InterfacesRemoved signals on the standard
1141
1551
"org.freedesktop.DBus.ObjectManager" interface.
1142
1552
1143
1553
Note: No signals are sent automatically; they must be sent
1144
1554
manually.
1145
1555
"""
1146
1556
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1557
out_signature="a{oa{sa{sv}}}")
1148
1558
def GetManagedObjects(self):
1149
1559
"""This function must be overridden"""
1150
1560
raise NotImplementedError()
1151
1561
1152
1562
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1563
signature="oa{sa{sv}}")
1154
1564
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1565
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1566
1567
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1568
def InterfacesRemoved(self, object_path, interfaces):
1159
1569
pass
1160
1570
1161
1571
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1572
out_signature="s",
1573
path_keyword='object_path',
1574
connection_keyword='connection')
1165
1575
def Introspect(self, object_path, connection):
1166
1576
"""Overloading of standard D-Bus method.
1167
1577
1168
1578
Override return argument name of GetManagedObjects to be
1169
1579
"objpath_interfaces_and_properties"
1170
1580
"""
1173
1583
connection)
1174
1584
try:
1175
1585
document = xml.dom.minidom.parseString(xmlstring)
1176
1586
1177
1587
for if_tag in document.getElementsByTagName("interface"):
1178
1588
# Fix argument name for the GetManagedObjects method
1179
1589
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1590
== dbus.OBJECT_MANAGER_IFACE):
1181
1591
for cn in if_tag.getElementsByTagName("method"):
1182
1592
if (cn.getAttribute("name")
1183
1593
== "GetManagedObjects"):
1193
1603
except (AttributeError, xml.dom.DOMException,
1194
1604
xml.parsers.expat.ExpatError) as error:
1195
1605
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1606
exc_info=error)
1197
1607
return xmlstring
1198
1608
1609
1199
1610
def datetime_to_dbus(dt, variant_level=0):
1200
1611
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1612
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1613
return dbus.String("", variant_level=variant_level)
1203
1614
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1615
1205
1616
1208
1619
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1620
interface names according to the "alt_interface_names" mapping.
1210
1621
Usage:
1211
1622
1212
1623
@alternate_dbus_interfaces({"org.example.Interface":
1213
1624
"net.example.AlternateInterface"})
1214
1625
class SampleDBusObject(dbus.service.Object):
1215
1626
@dbus.service.method("org.example.Interface")
1216
1627
def SampleDBusMethod():
1217
1628
pass
1218
1629
1219
1630
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1631
reachable via two interfaces: "org.example.Interface" and
1221
1632
"net.example.AlternateInterface", the latter of which will have
1222
1633
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1634
"true", unless "deprecate" is passed with a False value.
1224
1635
1225
1636
This works for methods and signals, and also for D-Bus properties
1226
1637
(from DBusObjectWithProperties) and interfaces (from the
1227
1638
dbus_interface_annotations decorator).
1228
1639
"""
1229
1640
1230
1641
def wrapper(cls):
1231
1642
for orig_interface_name, alt_interface_name in (
1232
1643
alt_interface_names.items()):
1247
1658
interface_names.add(alt_interface)
1248
1659
# Is this a D-Bus signal?
1249
1660
if getattr(attribute, "_dbus_is_signal", False):
1661
# Extract the original non-method undecorated
1662
# function by black magic
1250
1663
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1664
nonmethod_func = (dict(
1254
1665
zip(attribute.func_code.co_freevars,
1255
1666
attribute.__closure__))
1256
1667
["func"].cell_contents)
1257
1668
else:
1258
nonmethod_func = attribute
1669
nonmethod_func = (dict(
1670
zip(attribute.__code__.co_freevars,
1671
attribute.__closure__))
1672
["func"].cell_contents)
1259
1673
# Create a new, but exactly alike, function
1260
1674
# object, and decorate it to be a new D-Bus signal
1261
1675
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1676
new_function = copy_function(nonmethod_func)
1276
1677
new_function = (dbus.service.signal(
1277
1678
alt_interface,
1278
1679
attribute._dbus_signature)(new_function))
1282
1683
attribute._dbus_annotations)
1283
1684
except AttributeError:
1284
1685
pass
1686
1285
1687
# Define a creator of a function to call both the
1286
1688
# original and alternate functions, so both the
1287
1689
# original and alternate signals gets sent when
1290
1692
"""This function is a scope container to pass
1291
1693
func1 and func2 to the "call_both" function
1292
1694
outside of its arguments"""
1293
1695
1294
1696
@functools.wraps(func2)
1295
1697
def call_both(*args, **kwargs):
1296
1698
"""This function will emit two D-Bus
1297
1699
signals by calling func1 and func2"""
1298
1700
func1(*args, **kwargs)
1299
1701
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1702
# Make wrapper function look like a D-Bus
1703
# signal
1301
1704
for name, attr in inspect.getmembers(func2):
1302
1705
if name.startswith("_dbus_"):
1303
1706
setattr(call_both, name, attr)
1304
1707
1305
1708
return call_both
1306
1709
# Create the "call_both" function and add it to
1307
1710
# the class
1317
1720
alt_interface,
1318
1721
attribute._dbus_in_signature,
1319
1722
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1723
(copy_function(attribute)))
1325
1724
# Copy annotations, if any
1326
1725
try:
1327
1726
attr[attrname]._dbus_annotations = dict(
1339
1738
attribute._dbus_access,
1340
1739
attribute._dbus_get_args_options
1341
1740
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1741
(copy_function(attribute)))
1348
1742
# Copy annotations, if any
1349
1743
try:
1350
1744
attr[attrname]._dbus_annotations = dict(
1359
1753
# to the class.
1360
1754
attr[attrname] = (
1361
1755
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1756
(copy_function(attribute)))
1367
1757
if deprecate:
1368
1758
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1759
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1760
for interface_name in interface_names:
1371
1761
1372
1762
@dbus_interface_annotations(interface_name)
1373
1763
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1764
return {"org.freedesktop.DBus.Deprecated":
1765
"true"}
1376
1766
# Find an unused name
1377
1767
for aname in (iname.format(i)
1378
1768
for i in itertools.count()):
1382
1772
if interface_names:
1383
1773
# Replace the class with a new subclass of it with
1384
1774
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1775
if sys.version_info.major == 2:
1776
cls = type(b"{}Alternate".format(cls.__name__),
1777
(cls, ), attr)
1778
else:
1779
cls = type("{}Alternate".format(cls.__name__),
1780
(cls, ), attr)
1387
1781
return cls
1388
1782
1389
1783
return wrapper
1390
1784
1391
1785
1393
1787
"se.bsnet.fukt.Mandos"})
1394
1788
class ClientDBus(Client, DBusObjectWithProperties):
1395
1789
"""A Client class using D-Bus
1396
1790
1397
1791
Attributes:
1398
1792
dbus_object_path: dbus.ObjectPath
1399
1793
bus: dbus.SystemBus()
1400
1794
"""
1401
1795
1402
1796
runtime_expansions = (Client.runtime_expansions
1403
1797
+ ("dbus_object_path", ))
1404
1798
1405
1799
_interface = "se.recompile.Mandos.Client"
1406
1800
1407
1801
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1802
1803
def __init__(self, bus=None, *args, **kwargs):
1410
1804
self.bus = bus
1411
1805
Client.__init__(self, *args, **kwargs)
1412
1806
# Only now, when this client is initialized, can it show up on
1418
1812
"/clients/" + client_object_name)
1419
1813
DBusObjectWithProperties.__init__(self, self.bus,
1420
1814
self.dbus_object_path)
1421
1815
1422
1816
def notifychangeproperty(transform_func, dbus_name,
1423
1817
type_func=lambda x: x,
1424
1818
variant_level=1,
1426
1820
_interface=_interface):
1427
1821
""" Modify a variable so that it's a property which announces
1428
1822
its changes to DBus.
1429
1823
1430
1824
transform_fun: Function that takes a value and a variant_level
1431
1825
and transforms it to a D-Bus type.
1432
1826
dbus_name: D-Bus name of the variable
1435
1829
variant_level: D-Bus variant level. Default: 1
1436
1830
"""
1437
1831
attrname = "_{}".format(dbus_name)
1438
1832
1439
1833
def setter(self, value):
1440
1834
if hasattr(self, "dbus_object_path"):
1441
1835
if (not hasattr(self, attrname) or
1448
1842
else:
1449
1843
dbus_value = transform_func(
1450
1844
type_func(value),
1451
variant_level = variant_level)
1845
variant_level=variant_level)
1452
1846
self.PropertyChanged(dbus.String(dbus_name),
1453
1847
dbus_value)
1454
1848
self.PropertiesChanged(
1455
1849
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1850
dbus.Dictionary({dbus.String(dbus_name):
1851
dbus_value}),
1458
1852
dbus.Array())
1459
1853
setattr(self, attrname, value)
1460
1854
1461
1855
return property(lambda self: getattr(self, attrname), setter)
1462
1856
1463
1857
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1858
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1859
"ApprovalPending",
1466
type_func = bool)
1860
type_func=bool)
1467
1861
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1862
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1863
"LastEnabled")
1470
1864
checker = notifychangeproperty(
1471
1865
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1866
type_func=lambda checker: checker is not None)
1473
1867
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1868
"LastCheckedOK")
1475
1869
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1874
"ApprovedByDefault")
1481
1875
approval_delay = notifychangeproperty(
1482
1876
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1877
type_func=lambda td: td.total_seconds() * 1000)
1484
1878
approval_duration = notifychangeproperty(
1485
1879
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1880
type_func=lambda td: td.total_seconds() * 1000)
1487
1881
host = notifychangeproperty(dbus.String, "Host")
1488
1882
timeout = notifychangeproperty(
1489
1883
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1884
type_func=lambda td: td.total_seconds() * 1000)
1491
1885
extended_timeout = notifychangeproperty(
1492
1886
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1887
type_func=lambda td: td.total_seconds() * 1000)
1494
1888
interval = notifychangeproperty(
1495
1889
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1890
type_func=lambda td: td.total_seconds() * 1000)
1497
1891
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1892
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1893
invalidate_only=True)
1500
1894
1501
1895
del notifychangeproperty
1502
1896
1503
1897
def __del__(self, *args, **kwargs):
1504
1898
try:
1505
1899
self.remove_from_connection()
1508
1902
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1903
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1904
Client.__del__(self, *args, **kwargs)
1511
1905
1512
1906
def checker_callback(self, source, condition,
1513
1907
connection, command, *args, **kwargs):
1514
1908
ret = Client.checker_callback(self, source, condition,
1530
1924
| self.last_checker_signal),
1531
1925
dbus.String(command))
1532
1926
return ret
1533
1927
1534
1928
def start_checker(self, *args, **kwargs):
1535
1929
old_checker_pid = getattr(self.checker, "pid", None)
1536
1930
r = Client.start_checker(self, *args, **kwargs)
1540
1934
# Emit D-Bus signal
1541
1935
self.CheckerStarted(self.current_checker_command)
1542
1936
return r
1543
1937
1544
1938
def _reset_approved(self):
1545
1939
self.approved = None
1546
1940
return False
1547
1941
1548
1942
def approve(self, value=True):
1549
1943
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1944
GLib.timeout_add(int(self.approval_duration.total_seconds()
1945
* 1000), self._reset_approved)
1552
1946
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1947
1948
# D-Bus methods, signals & properties
1949
1950
# Interfaces
1951
1952
# Signals
1953
1560
1954
# CheckerCompleted - signal
1561
1955
@dbus.service.signal(_interface, signature="nxs")
1562
1956
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1957
"D-Bus signal"
1564
1958
pass
1565
1959
1566
1960
# CheckerStarted - signal
1567
1961
@dbus.service.signal(_interface, signature="s")
1568
1962
def CheckerStarted(self, command):
1569
1963
"D-Bus signal"
1570
1964
pass
1571
1965
1572
1966
# PropertyChanged - signal
1573
1967
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1968
@dbus.service.signal(_interface, signature="sv")
1575
1969
def PropertyChanged(self, property, value):
1576
1970
"D-Bus signal"
1577
1971
pass
1578
1972
1579
1973
# GotSecret - signal
1580
1974
@dbus.service.signal(_interface)
1581
1975
def GotSecret(self):
1584
1978
server to mandos-client
1585
1979
"""
1586
1980
pass
1587
1981
1588
1982
# Rejected - signal
1589
1983
@dbus.service.signal(_interface, signature="s")
1590
1984
def Rejected(self, reason):
1591
1985
"D-Bus signal"
1592
1986
pass
1593
1987
1594
1988
# NeedApproval - signal
1595
1989
@dbus.service.signal(_interface, signature="tb")
1596
1990
def NeedApproval(self, timeout, default):
1597
1991
"D-Bus signal"
1598
1992
return self.need_approval()
1599
1600
## Methods
1601
1993
1994
# Methods
1995
1602
1996
# Approve - method
1603
1997
@dbus.service.method(_interface, in_signature="b")
1604
1998
def Approve(self, value):
1605
1999
self.approve(value)
1606
2000
1607
2001
# CheckedOK - method
1608
2002
@dbus.service.method(_interface)
1609
2003
def CheckedOK(self):
1610
2004
self.checked_ok()
1611
2005
1612
2006
# Enable - method
1613
2007
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
2008
@dbus.service.method(_interface)
1615
2009
def Enable(self):
1616
2010
"D-Bus method"
1617
2011
self.enable()
1618
2012
1619
2013
# StartChecker - method
1620
2014
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
2015
@dbus.service.method(_interface)
1622
2016
def StartChecker(self):
1623
2017
"D-Bus method"
1624
2018
self.start_checker()
1625
2019
1626
2020
# Disable - method
1627
2021
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
2022
@dbus.service.method(_interface)
1629
2023
def Disable(self):
1630
2024
"D-Bus method"
1631
2025
self.disable()
1632
2026
1633
2027
# StopChecker - method
1634
2028
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2029
@dbus.service.method(_interface)
1636
2030
def StopChecker(self):
1637
2031
self.stop_checker()
1638
1639
## Properties
1640
2032
2033
# Properties
2034
1641
2035
# ApprovalPending - property
1642
2036
@dbus_service_property(_interface, signature="b", access="read")
1643
2037
def ApprovalPending_dbus_property(self):
1644
2038
return dbus.Boolean(bool(self.approvals_pending))
1645
2039
1646
2040
# ApprovedByDefault - property
1647
2041
@dbus_service_property(_interface,
1648
2042
signature="b",
1651
2045
if value is None: # get
1652
2046
return dbus.Boolean(self.approved_by_default)
1653
2047
self.approved_by_default = bool(value)
1654
2048
1655
2049
# ApprovalDelay - property
1656
2050
@dbus_service_property(_interface,
1657
2051
signature="t",
1661
2055
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2056
* 1000)
1663
2057
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2058
1665
2059
# ApprovalDuration - property
1666
2060
@dbus_service_property(_interface,
1667
2061
signature="t",
1671
2065
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2066
* 1000)
1673
2067
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2068
1675
2069
# Name - property
1676
2070
@dbus_annotations(
1677
2071
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2072
@dbus_service_property(_interface, signature="s", access="read")
1679
2073
def Name_dbus_property(self):
1680
2074
return dbus.String(self.name)
1681
2075
2076
# KeyID - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
@dbus_service_property(_interface, signature="s", access="read")
2080
def KeyID_dbus_property(self):
2081
return dbus.String(self.key_id)
2082
1682
2083
# Fingerprint - property
1683
2084
@dbus_annotations(
1684
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2086
@dbus_service_property(_interface, signature="s", access="read")
1686
2087
def Fingerprint_dbus_property(self):
1687
2088
return dbus.String(self.fingerprint)
1688
2089
1689
2090
# Host - property
1690
2091
@dbus_service_property(_interface,
1691
2092
signature="s",
1694
2095
if value is None: # get
1695
2096
return dbus.String(self.host)
1696
2097
self.host = str(value)
1697
2098
1698
2099
# Created - property
1699
2100
@dbus_annotations(
1700
2101
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2102
@dbus_service_property(_interface, signature="s", access="read")
1702
2103
def Created_dbus_property(self):
1703
2104
return datetime_to_dbus(self.created)
1704
2105
1705
2106
# LastEnabled - property
1706
2107
@dbus_service_property(_interface, signature="s", access="read")
1707
2108
def LastEnabled_dbus_property(self):
1708
2109
return datetime_to_dbus(self.last_enabled)
1709
2110
1710
2111
# Enabled - property
1711
2112
@dbus_service_property(_interface,
1712
2113
signature="b",
1718
2119
self.enable()
1719
2120
else:
1720
2121
self.disable()
1721
2122
1722
2123
# LastCheckedOK - property
1723
2124
@dbus_service_property(_interface,
1724
2125
signature="s",
1728
2129
self.checked_ok()
1729
2130
return
1730
2131
return datetime_to_dbus(self.last_checked_ok)
1731
2132
1732
2133
# LastCheckerStatus - property
1733
2134
@dbus_service_property(_interface, signature="n", access="read")
1734
2135
def LastCheckerStatus_dbus_property(self):
1735
2136
return dbus.Int16(self.last_checker_status)
1736
2137
1737
2138
# Expires - property
1738
2139
@dbus_service_property(_interface, signature="s", access="read")
1739
2140
def Expires_dbus_property(self):
1740
2141
return datetime_to_dbus(self.expires)
1741
2142
1742
2143
# LastApprovalRequest - property
1743
2144
@dbus_service_property(_interface, signature="s", access="read")
1744
2145
def LastApprovalRequest_dbus_property(self):
1745
2146
return datetime_to_dbus(self.last_approval_request)
1746
2147
1747
2148
# Timeout - property
1748
2149
@dbus_service_property(_interface,
1749
2150
signature="t",
1764
2165
if (getattr(self, "disable_initiator_tag", None)
1765
2166
is None):
1766
2167
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2168
GLib.source_remove(self.disable_initiator_tag)
2169
self.disable_initiator_tag = GLib.timeout_add(
1769
2170
int((self.expires - now).total_seconds() * 1000),
1770
2171
self.disable)
1771
2172
1772
2173
# ExtendedTimeout - property
1773
2174
@dbus_service_property(_interface,
1774
2175
signature="t",
1778
2179
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2180
* 1000)
1780
2181
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2182
1782
2183
# Interval - property
1783
2184
@dbus_service_property(_interface,
1784
2185
signature="t",
1791
2192
return
1792
2193
if self.enabled:
1793
2194
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2195
GLib.source_remove(self.checker_initiator_tag)
2196
self.checker_initiator_tag = GLib.timeout_add(
1796
2197
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2198
self.start_checker() # Start one now, too
2199
1799
2200
# Checker - property
1800
2201
@dbus_service_property(_interface,
1801
2202
signature="s",
1804
2205
if value is None: # get
1805
2206
return dbus.String(self.checker_command)
1806
2207
self.checker_command = str(value)
1807
2208
1808
2209
# CheckerRunning - property
1809
2210
@dbus_service_property(_interface,
1810
2211
signature="b",
1816
2217
self.start_checker()
1817
2218
else:
1818
2219
self.stop_checker()
1819
2220
1820
2221
# ObjectPath - property
1821
2222
@dbus_annotations(
1822
2223
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2224
"org.freedesktop.DBus.Deprecated": "true"})
1824
2225
@dbus_service_property(_interface, signature="o", access="read")
1825
2226
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2227
return self.dbus_object_path # is already a dbus.ObjectPath
2228
1828
2229
# Secret = property
1829
2230
@dbus_annotations(
1830
2231
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2236
byte_arrays=True)
1836
2237
def Secret_dbus_property(self, value):
1837
2238
self.secret = bytes(value)
1838
2239
1839
2240
del _interface
1840
2241
1841
2242
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2243
class ProxyClient:
2244
def __init__(self, child_pipe, key_id, fpr, address):
1844
2245
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2246
self._pipe.send(('init', key_id, fpr, address))
1846
2247
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2248
raise KeyError(key_id or fpr)
2249
1849
2250
def __getattribute__(self, name):
1850
2251
if name == '_pipe':
1851
2252
return super(ProxyClient, self).__getattribute__(name)
1854
2255
if data[0] == 'data':
1855
2256
return data[1]
1856
2257
if data[0] == 'function':
1857
2258
1858
2259
def func(*args, **kwargs):
1859
2260
self._pipe.send(('funcall', name, args, kwargs))
1860
2261
return self._pipe.recv()[1]
1861
2262
1862
2263
return func
1863
2264
1864
2265
def __setattr__(self, name, value):
1865
2266
if name == '_pipe':
1866
2267
return super(ProxyClient, self).__setattr__(name, value)
1869
2270
1870
2271
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2272
"""A class to handle client connections.
1872
2273
1873
2274
Instantiated once for each connection to handle it.
1874
2275
Note: This will run in its own forked process."""
1875
2276
1876
2277
def handle(self):
1877
2278
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2279
logger.info("TCP connection from: %s",
1879
2280
str(self.client_address))
1880
2281
logger.debug("Pipe FD: %d",
1881
2282
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2283
2284
session = gnutls.ClientSession(self.request)
2285
2286
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2287
# "+AES-256-CBC", "+SHA1",
2288
# "+COMP-NULL", "+CTYPE-OPENPGP",
2289
# "+DHE-DSS"))
1895
2290
# Use a fallback default, since this MUST be set.
1896
2291
priority = self.server.gnutls_priority
1897
2292
if priority is None:
1898
2293
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2294
gnutls.priority_set_direct(session._c_object,
2295
priority.encode("utf-8"),
2296
None)
2297
1902
2298
# Start communication using the Mandos protocol
1903
2299
# Get protocol number
1904
2300
line = self.request.makefile().readline()
1909
2305
except (ValueError, IndexError, RuntimeError) as error:
1910
2306
logger.error("Unknown protocol version: %s", error)
1911
2307
return
1912
2308
1913
2309
# Start GnuTLS connection
1914
2310
try:
1915
2311
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2312
except gnutls.Error as error:
1917
2313
logger.warning("Handshake failed: %s", error)
1918
2314
# Do not run session.bye() here: the session is not
1919
2315
# established. Just abandon the request.
1920
2316
return
1921
2317
logger.debug("Handshake succeeded")
1922
2318
1923
2319
approval_required = False
1924
2320
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2321
if gnutls.has_rawpk:
2322
fpr = b""
2323
try:
2324
key_id = self.key_id(
2325
self.peer_certificate(session))
2326
except (TypeError, gnutls.Error) as error:
2327
logger.warning("Bad certificate: %s", error)
2328
return
2329
logger.debug("Key ID: %s", key_id)
2330
2331
else:
2332
key_id = b""
2333
try:
2334
fpr = self.fingerprint(
2335
self.peer_certificate(session))
2336
except (TypeError, gnutls.Error) as error:
2337
logger.warning("Bad certificate: %s", error)
2338
return
2339
logger.debug("Fingerprint: %s", fpr)
2340
2341
try:
2342
client = ProxyClient(child_pipe, key_id, fpr,
1936
2343
self.client_address)
1937
2344
except KeyError:
1938
2345
return
1939
2346
1940
2347
if client.approval_delay:
1941
2348
delay = client.approval_delay
1942
2349
client.approvals_pending += 1
1943
2350
approval_required = True
1944
2351
1945
2352
while True:
1946
2353
if not client.enabled:
1947
2354
logger.info("Client %s is disabled",
1950
2357
# Emit D-Bus signal
1951
2358
client.Rejected("Disabled")
1952
2359
return
1953
2360
1954
2361
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2362
# We are approved or approval is disabled
1956
2363
break
1957
2364
elif client.approved is None:
1958
2365
logger.info("Client %s needs approval",
1969
2376
# Emit D-Bus signal
1970
2377
client.Rejected("Denied")
1971
2378
return
1972
1973
#wait until timeout or approved
2379
2380
# wait until timeout or approved
1974
2381
time = datetime.datetime.now()
1975
2382
client.changedstate.acquire()
1976
2383
client.changedstate.wait(delay.total_seconds())
1989
2396
break
1990
2397
else:
1991
2398
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2399
2400
try:
2401
session.send(client.secret)
2402
except gnutls.Error as error:
2403
logger.warning("gnutls send failed",
2404
exc_info=error)
2405
return
2406
2006
2407
logger.info("Sending secret to %s", client.name)
2007
2408
# bump the timeout using extended_timeout
2008
2409
client.bump_timeout(client.extended_timeout)
2009
2410
if self.server.use_dbus:
2010
2411
# Emit D-Bus signal
2011
2412
client.GotSecret()
2012
2413
2013
2414
finally:
2014
2415
if approval_required:
2015
2416
client.approvals_pending -= 1
2016
2417
try:
2017
2418
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2419
except gnutls.Error as error:
2019
2420
logger.warning("GnuTLS bye failed",
2020
2421
exc_info=error)
2021
2422
2022
2423
@staticmethod
2023
2424
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2425
"Return the peer's certificate as a bytestring"
2426
try:
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2428
gnutls.CTYPE_PEERS)
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2433
else:
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2438
valid_cert_types)
2439
# ...return invalid data
2440
return b""
2031
2441
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2442
cert_list = (gnutls.certificate_get_peers
2034
2443
(session._c_object, ctypes.byref(list_size)))
2035
2444
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2445
raise gnutls.Error("error getting peer certificate")
2038
2446
if list_size.value == 0:
2039
2447
return None
2040
2448
cert = cert_list[0]
2041
2449
return ctypes.string_at(cert.data, cert.size)
2042
2450
2451
@staticmethod
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2478
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2483
return hex_key_id
2484
2043
2485
@staticmethod
2044
2486
def fingerprint(openpgp):
2045
2487
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2488
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2489
datum = gnutls.datum_t(
2048
2490
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2491
ctypes.POINTER(ctypes.c_ubyte)),
2050
2492
ctypes.c_uint(len(openpgp)))
2051
2493
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2494
crt = gnutls.openpgp_crt_t()
2495
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2496
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2497
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2498
gnutls.OPENPGP_FMT_RAW)
2059
2499
# Verify the self signature in the key
2060
2500
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2501
gnutls.openpgp_crt_verify_self(crt, 0,
2502
ctypes.byref(crtverify))
2063
2503
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2504
gnutls.openpgp_crt_deinit(crt)
2505
raise gnutls.CertificateSecurityError(code
2506
=crtverify.value)
2067
2507
# New buffer for the fingerprint
2068
2508
buf = ctypes.create_string_buffer(20)
2069
2509
buf_len = ctypes.c_size_t()
2070
2510
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2511
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2512
ctypes.byref(buf_len))
2073
2513
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2514
gnutls.openpgp_crt_deinit(crt)
2075
2515
# Convert the buffer to a Python bytestring
2076
2516
fpr = ctypes.string_at(buf, buf_len.value)
2077
2517
# Convert the bytestring to hexadecimal notation
2079
2519
return hex_fpr
2080
2520
2081
2521
2082
class MultiprocessingMixIn(object):
2522
class MultiprocessingMixIn:
2083
2523
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2524
2085
2525
def sub_process_main(self, request, address):
2086
2526
try:
2087
2527
self.finish_request(request, address)
2088
2528
except Exception:
2089
2529
self.handle_error(request, address)
2090
2530
self.close_request(request)
2091
2531
2092
2532
def process_request(self, request, address):
2093
2533
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2534
proc = multiprocessing.Process(target=self.sub_process_main,
2535
args=(request, address))
2096
2536
proc.start()
2097
2537
return proc
2098
2538
2099
2539
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2540
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2101
2541
""" adds a pipe to the MixIn """
2102
2542
2103
2543
def process_request(self, request, client_address):
2104
2544
"""Overrides and wraps the original process_request().
2105
2545
2106
2546
This function creates a new pipe in self.pipe
2107
2547
"""
2108
2548
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2549
2110
2550
proc = MultiprocessingMixIn.process_request(self, request,
2111
2551
client_address)
2112
2552
self.child_pipe.close()
2113
2553
self.add_pipe(parent_pipe, proc)
2114
2554
2115
2555
def add_pipe(self, parent_pipe, proc):
2116
2556
"""Dummy function; override as necessary"""
2117
2557
raise NotImplementedError()
2118
2558
2119
2559
2120
2560
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
socketserver.TCPServer, object):
2561
socketserver.TCPServer):
2122
2562
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2563
2124
2564
Attributes:
2125
2565
enabled: Boolean; whether this server is activated yet
2126
2566
interface: None or a network interface name (string)
2127
2567
use_ipv6: Boolean; to use IPv6 or not
2128
2568
"""
2129
2569
2130
2570
def __init__(self, server_address, RequestHandlerClass,
2131
2571
interface=None,
2132
2572
use_ipv6=True,
2142
2582
self.socketfd = socketfd
2143
2583
# Save the original socket.socket() function
2144
2584
self.socket_socket = socket.socket
2585
2145
2586
# To implement --socket, we monkey patch socket.socket.
2146
#
2587
#
2147
2588
# (When socketserver.TCPServer is a new-style class, we
2148
2589
# could make self.socket into a property instead of monkey
2149
2590
# patching socket.socket.)
2150
#
2591
#
2151
2592
# Create a one-time-only replacement for socket.socket()
2152
2593
@functools.wraps(socket.socket)
2153
2594
def socket_wrapper(*args, **kwargs):
2165
2606
# socket_wrapper(), if socketfd was set.
2166
2607
socketserver.TCPServer.__init__(self, server_address,
2167
2608
RequestHandlerClass)
2168
2609
2169
2610
def server_bind(self):
2170
2611
"""This overrides the normal server_bind() function
2171
2612
to bind to an interface if one was specified, and also NOT to
2172
2613
bind to an address or port if they were not specified."""
2614
global SO_BINDTODEVICE
2173
2615
if self.interface is not None:
2174
2616
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2617
# Fall back to a hard-coded value which seems to be
2618
# common enough.
2619
logger.warning("SO_BINDTODEVICE not found, trying 25")
2620
SO_BINDTODEVICE = 25
2621
try:
2622
self.socket.setsockopt(
2623
socket.SOL_SOCKET, SO_BINDTODEVICE,
2624
(self.interface + "\0").encode("utf-8"))
2625
except socket.error as error:
2626
if error.errno == errno.EPERM:
2627
logger.error("No permission to bind to"
2628
" interface %s", self.interface)
2629
elif error.errno == errno.ENOPROTOOPT:
2630
logger.error("SO_BINDTODEVICE not available;"
2631
" cannot bind to interface %s",
2632
self.interface)
2633
elif error.errno == errno.ENODEV:
2634
logger.error("Interface %s does not exist,"
2635
" cannot bind", self.interface)
2636
else:
2637
raise
2196
2638
# Only bind(2) the socket if we really need to.
2197
2639
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2198
2642
if not self.server_address[0]:
2199
2643
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2644
any_address = "::" # in6addr_any
2201
2645
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2646
any_address = "0.0.0.0" # INADDR_ANY
2203
2647
self.server_address = (any_address,
2204
2648
self.server_address[1])
2205
2649
elif not self.server_address[1]:
2215
2659
2216
2660
class MandosServer(IPv6_TCPServer):
2217
2661
"""Mandos server.
2218
2662
2219
2663
Attributes:
2220
2664
clients: set of Client objects
2221
2665
gnutls_priority GnuTLS priority string
2222
2666
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2667
2668
Assumes a GLib.MainLoop event loop.
2225
2669
"""
2226
2670
2227
2671
def __init__(self, server_address, RequestHandlerClass,
2228
2672
interface=None,
2229
2673
use_ipv6=True,
2239
2683
self.gnutls_priority = gnutls_priority
2240
2684
IPv6_TCPServer.__init__(self, server_address,
2241
2685
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2686
interface=interface,
2687
use_ipv6=use_ipv6,
2688
socketfd=socketfd)
2689
2246
2690
def server_activate(self):
2247
2691
if self.enabled:
2248
2692
return socketserver.TCPServer.server_activate(self)
2249
2693
2250
2694
def enable(self):
2251
2695
self.enabled = True
2252
2696
2253
2697
def add_pipe(self, parent_pipe, proc):
2254
2698
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2699
GLib.io_add_watch(
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2258
2702
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2703
parent_pipe=parent_pipe,
2704
proc=proc))
2705
2262
2706
def handle_ipc(self, source, condition,
2263
2707
parent_pipe=None,
2264
proc = None,
2708
proc=None,
2265
2709
client_object=None):
2266
2710
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2711
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2712
# Wait for other process to exit
2269
2713
proc.join()
2270
2714
return False
2271
2715
2272
2716
# Read a request from the child
2273
2717
request = parent_pipe.recv()
2274
2718
command = request[0]
2275
2719
2276
2720
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2724
2725
for c in self.clients.values():
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2727
continue
2728
if key_id and c.key_id == key_id:
2729
client = c
2730
break
2731
if fpr and c.fingerprint == fpr:
2282
2732
client = c
2283
2733
break
2284
2734
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2287
2737
if self.use_dbus:
2288
2738
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2740
address[0])
2291
2741
parent_pipe.send(False)
2292
2742
return False
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2743
2744
GLib.io_add_watch(
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2297
2747
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2748
parent_pipe=parent_pipe,
2749
proc=proc,
2750
client_object=client))
2301
2751
parent_pipe.send(True)
2302
2752
# remove the old hook in favor of the new above hook on
2303
2753
# same fileno
2306
2756
funcname = request[1]
2307
2757
args = request[2]
2308
2758
kwargs = request[3]
2309
2759
2310
2760
parent_pipe.send(('data', getattr(client_object,
2311
2761
funcname)(*args,
2312
2762
**kwargs)))
2313
2763
2314
2764
if command == 'getattr':
2315
2765
attrname = request[1]
2316
2766
if isinstance(client_object.__getattribute__(attrname),
2317
collections.Callable):
2767
collections.abc.Callable):
2318
2768
parent_pipe.send(('function', ))
2319
2769
else:
2320
2770
parent_pipe.send((
2321
2771
'data', client_object.__getattribute__(attrname)))
2322
2772
2323
2773
if command == 'setattr':
2324
2774
attrname = request[1]
2325
2775
value = request[2]
2326
2776
setattr(client_object, attrname, value)
2327
2777
2328
2778
return True
2329
2779
2330
2780
2331
2781
def rfc3339_duration_to_delta(duration):
2332
2782
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2783
2784
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2785
True
2786
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2787
True
2788
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2789
True
2790
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2791
True
2792
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2793
True
2794
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2795
True
2796
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2797
True
2348
2798
"""
2349
2799
2350
2800
# Parsing an RFC 3339 duration with regular expressions is not
2351
2801
# possible - there would have to be multiple places for the same
2352
2802
# values, like seconds. The current code, while more esoteric, is
2353
2803
# cleaner without depending on a parsing library. If Python had a
2354
2804
# built-in library for parsing we would use it, but we'd like to
2355
2805
# avoid excessive use of external libraries.
2356
2806
2357
2807
# New type for defining tokens, syntax, and semantics all-in-one
2358
2808
Token = collections.namedtuple("Token", (
2359
2809
"regexp", # To match token; if "value" is not None, must have
2392
2842
frozenset((token_year, token_month,
2393
2843
token_day, token_time,
2394
2844
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2845
# Define starting values:
2846
# Value so far
2847
value = datetime.timedelta()
2397
2848
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2849
# Following valid tokens
2850
followers = frozenset((token_duration, ))
2851
# String left to parse
2852
s = duration
2400
2853
# Loop until end token is found
2401
2854
while found_token is not token_end:
2402
2855
# Search for any currently valid tokens
2426
2879
2427
2880
def string_to_delta(interval):
2428
2881
"""Parse a string and return a datetime.timedelta
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2882
2883
>>> string_to_delta('7d') == datetime.timedelta(7)
2884
True
2885
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2886
True
2887
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2888
True
2889
>>> string_to_delta('24h') == datetime.timedelta(1)
2890
True
2891
>>> string_to_delta('1w') == datetime.timedelta(7)
2892
True
2893
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2894
True
2442
2895
"""
2443
2896
2444
2897
try:
2445
2898
return rfc3339_duration_to_delta(interval)
2446
2899
except ValueError:
2447
2900
pass
2448
2901
2449
2902
timevalue = datetime.timedelta(0)
2450
2903
for s in interval.split():
2451
2904
try:
2469
2922
return timevalue
2470
2923
2471
2924
2472
def daemon(nochdir = False, noclose = False):
2925
def daemon(nochdir=False, noclose=False):
2473
2926
"""See daemon(3). Standard BSD Unix function.
2474
2927
2475
2928
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2929
if os.fork():
2477
2930
sys.exit()
2495
2948
2496
2949
2497
2950
def main():
2498
2951
2499
2952
##################################################################
2500
2953
# Parsing of options, both command line and config file
2501
2954
2502
2955
parser = argparse.ArgumentParser()
2503
2956
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2957
version="%(prog)s {}".format(version),
2505
2958
help="show version number and exit")
2506
2959
parser.add_argument("-i", "--interface", metavar="IF",
2507
2960
help="Bind to interface IF")
2543
2996
parser.add_argument("--no-zeroconf", action="store_false",
2544
2997
dest="zeroconf", help="Do not use Zeroconf",
2545
2998
default=None)
2546
2999
2547
3000
options = parser.parse_args()
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
3001
2554
3002
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3003
if gnutls.has_rawpk:
3004
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3005
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3006
else:
3007
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3008
":+SIGN-DSA-SHA256")
3009
server_defaults = {"interface": "",
3010
"address": "",
3011
"port": "",
3012
"debug": "False",
3013
"priority": priority,
3014
"servicename": "Mandos",
3015
"use_dbus": "True",
3016
"use_ipv6": "True",
3017
"debuglevel": "",
3018
"restore": "True",
3019
"socket": "",
3020
"statedir": "/var/lib/mandos",
3021
"foreground": "False",
3022
"zeroconf": "True",
3023
}
3024
del priority
3025
2573
3026
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3027
server_config = configparser.ConfigParser(server_defaults)
2575
3028
del server_defaults
2576
3029
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3030
# Convert the ConfigParser object to a dict
2578
3031
server_settings = server_config.defaults()
2579
3032
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3033
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3034
"foreground", "zeroconf"):
2581
3035
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3036
option)
2583
3037
if server_settings["port"]:
2593
3047
server_settings["socket"] = os.dup(server_settings
2594
3048
["socket"])
2595
3049
del server_config
2596
3050
2597
3051
# Override the settings from the config file with command line
2598
3052
# options, if set.
2599
3053
for option in ("interface", "address", "port", "debug",
2617
3071
if server_settings["debug"]:
2618
3072
server_settings["foreground"] = True
2619
3073
# Now we have our good server settings in "server_settings"
2620
3074
2621
3075
##################################################################
2622
3076
2623
3077
if (not server_settings["zeroconf"]
2624
3078
and not (server_settings["port"]
2625
3079
or server_settings["socket"] != "")):
2626
3080
parser.error("Needs port or socket to work without Zeroconf")
2627
3081
2628
3082
# For convenience
2629
3083
debug = server_settings["debug"]
2630
3084
debuglevel = server_settings["debuglevel"]
2634
3088
stored_state_file)
2635
3089
foreground = server_settings["foreground"]
2636
3090
zeroconf = server_settings["zeroconf"]
2637
3091
2638
3092
if debug:
2639
3093
initlogger(debug, logging.DEBUG)
2640
3094
else:
2643
3097
else:
2644
3098
level = getattr(logging, debuglevel.upper())
2645
3099
initlogger(debug, level)
2646
3100
2647
3101
if server_settings["servicename"] != "Mandos":
2648
3102
syslogger.setFormatter(
2649
3103
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3104
' %(levelname)s: %(message)s'.format(
2651
3105
server_settings["servicename"])))
2652
3106
2653
3107
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3108
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3109
client_config.read(os.path.join(server_settings["configdir"],
2657
3110
"clients.conf"))
2658
3111
2659
3112
global mandos_dbus_service
2660
3113
mandos_dbus_service = None
2661
3114
2662
3115
socketfd = None
2663
3116
if server_settings["socket"] != "":
2664
3117
socketfd = server_settings["socket"]
2680
3133
except IOError as e:
2681
3134
logger.error("Could not open file %r", pidfilename,
2682
3135
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3136
3137
for name, group in (("_mandos", "_mandos"),
3138
("mandos", "mandos"),
3139
("nobody", "nogroup")):
2685
3140
try:
2686
3141
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3142
gid = pwd.getpwnam(group).pw_gid
2688
3143
break
2689
3144
except KeyError:
2690
3145
continue
2694
3149
try:
2695
3150
os.setgid(gid)
2696
3151
os.setuid(uid)
3152
if debug:
3153
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3154
gid))
2697
3155
except OSError as error:
3156
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3157
.format(uid, gid, os.strerror(error.errno)))
2698
3158
if error.errno != errno.EPERM:
2699
3159
raise
2700
3160
2701
3161
if debug:
2702
3162
# Enable all possible GnuTLS debugging
2703
3163
2704
3164
# "Use a log level over 10 to enable all debugging options."
2705
3165
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3166
gnutls.global_set_log_level(11)
3167
3168
@gnutls.log_func
2709
3169
def debug_gnutls(level, string):
2710
3170
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3171
3172
gnutls.global_set_log_function(debug_gnutls)
3173
2715
3174
# Redirect stdin so all checkers get /dev/null
2716
3175
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3176
os.dup2(null, sys.stdin.fileno())
2718
3177
if null > 2:
2719
3178
os.close(null)
2720
3179
2721
3180
# Need to fork before connecting to D-Bus
2722
3181
if not foreground:
2723
3182
# Close all input and output, do double fork, etc.
2724
3183
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3184
3185
if gi.version_info < (3, 10, 2):
3186
# multiprocessing will use threads, so before we use GLib we
3187
# need to inform GLib that threads will be used.
3188
GLib.threads_init()
3189
2730
3190
global main_loop
2731
3191
# From the Avahi example code
2732
3192
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3193
main_loop = GLib.MainLoop()
2734
3194
bus = dbus.SystemBus()
2735
3195
# End of Avahi example code
2736
3196
if use_dbus:
2749
3209
if zeroconf:
2750
3210
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3211
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3212
name=server_settings["servicename"],
3213
servicetype="_mandos._tcp",
3214
protocol=protocol,
3215
bus=bus)
2756
3216
if server_settings["interface"]:
2757
3217
service.interface = if_nametoindex(
2758
3218
server_settings["interface"].encode("utf-8"))
2759
3219
2760
3220
global multiprocessing_manager
2761
3221
multiprocessing_manager = multiprocessing.Manager()
2762
3222
2763
3223
client_class = Client
2764
3224
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3225
client_class = functools.partial(ClientDBus, bus=bus)
3226
2767
3227
client_settings = Client.config_parser(client_config)
2768
3228
old_client_settings = {}
2769
3229
clients_data = {}
2770
3230
2771
3231
# This is used to redirect stdout and stderr for checker processes
2772
3232
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3233
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3234
# Only used if server is running in foreground but not in debug
2775
3235
# mode
2776
3236
if debug or not foreground:
2777
3237
wnull.close()
2778
3238
2779
3239
# Get client data and settings from last running state.
2780
3240
if server_settings["restore"]:
2781
3241
try:
2782
3242
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3243
if sys.version_info.major == 2:
3244
clients_data, old_client_settings = pickle.load(
3245
stored_state)
3246
else:
3247
bytes_clients_data, bytes_old_client_settings = (
3248
pickle.load(stored_state, encoding="bytes"))
3249
# Fix bytes to strings
3250
# clients_data
3251
# .keys()
3252
clients_data = {(key.decode("utf-8")
3253
if isinstance(key, bytes)
3254
else key): value
3255
for key, value in
3256
bytes_clients_data.items()}
3257
del bytes_clients_data
3258
for key in clients_data:
3259
value = {(k.decode("utf-8")
3260
if isinstance(k, bytes) else k): v
3261
for k, v in
3262
clients_data[key].items()}
3263
clients_data[key] = value
3264
# .client_structure
3265
value["client_structure"] = [
3266
(s.decode("utf-8")
3267
if isinstance(s, bytes)
3268
else s) for s in
3269
value["client_structure"]]
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3272
if isinstance(value[k], bytes):
3273
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3278
# old_client_settings
3279
# .keys()
3280
old_client_settings = {
3281
(key.decode("utf-8")
3282
if isinstance(key, bytes)
3283
else key): value
3284
for key, value in
3285
bytes_old_client_settings.items()}
3286
del bytes_old_client_settings
3287
# .host and .checker_command
3288
for value in old_client_settings.values():
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
3292
.decode("utf-8"))
2785
3293
os.remove(stored_state_path)
2786
3294
except IOError as e:
2787
3295
if e.errno == errno.ENOENT:
2795
3303
logger.warning("Could not load persistent state: "
2796
3304
"EOFError:",
2797
3305
exc_info=e)
2798
3306
2799
3307
with PGPEngine() as pgp:
2800
3308
for client_name, client in clients_data.items():
2801
3309
# Skip removed clients
2802
3310
if client_name not in client_settings:
2803
3311
continue
2804
3312
2805
3313
# Decide which value to use after restoring saved state.
2806
3314
# We have three different values: Old config file,
2807
3315
# new config file, and saved state.
2818
3326
client[name] = value
2819
3327
except KeyError:
2820
3328
pass
2821
3329
2822
3330
# Clients who has passed its expire date can still be
2823
3331
# enabled if its last checker was successful. A Client
2824
3332
# whose checker succeeded before we stored its state is
2857
3365
client_name))
2858
3366
client["secret"] = (client_settings[client_name]
2859
3367
["secret"])
2860
3368
2861
3369
# Add/remove clients based on new changes made to config
2862
3370
for client_name in (set(old_client_settings)
2863
3371
- set(client_settings)):
2865
3373
for client_name in (set(client_settings)
2866
3374
- set(old_client_settings)):
2867
3375
clients_data[client_name] = client_settings[client_name]
2868
3376
2869
3377
# Create all client objects
2870
3378
for client_name, client in clients_data.items():
2871
3379
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3380
name=client_name,
3381
settings=client,
3382
server_settings=server_settings)
3383
2876
3384
if not tcp_server.clients:
2877
3385
logger.warning("No clients defined")
2878
3386
2879
3387
if not foreground:
2880
3388
if pidfile is not None:
2881
3389
pid = os.getpid()
2887
3395
pidfilename, pid)
2888
3396
del pidfile
2889
3397
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3398
3399
for termsig in (signal.SIGHUP, signal.SIGTERM):
3400
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3401
lambda: main_loop.quit() and False)
3402
2894
3403
if use_dbus:
2895
3404
2896
3405
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3406
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3407
class MandosDBusService(DBusObjectWithObjectManager):
2899
3408
"""A D-Bus proxy object"""
2900
3409
2901
3410
def __init__(self):
2902
3411
dbus.service.Object.__init__(self, bus, "/")
2903
3412
2904
3413
_interface = "se.recompile.Mandos"
2905
3414
2906
3415
@dbus.service.signal(_interface, signature="o")
2907
3416
def ClientAdded(self, objpath):
2908
3417
"D-Bus signal"
2909
3418
pass
2910
3419
2911
3420
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3421
def ClientNotFound(self, key_id, address):
2913
3422
"D-Bus signal"
2914
3423
pass
2915
3424
2916
3425
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3426
"true"})
2918
3427
@dbus.service.signal(_interface, signature="os")
2919
3428
def ClientRemoved(self, objpath, name):
2920
3429
"D-Bus signal"
2921
3430
pass
2922
3431
2923
3432
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3433
"true"})
2925
3434
@dbus.service.method(_interface, out_signature="ao")
2926
3435
def GetAllClients(self):
2927
3436
"D-Bus method"
2928
3437
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3438
tcp_server.clients.values())
3439
2931
3440
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3441
"true"})
2933
3442
@dbus.service.method(_interface,
2935
3444
def GetAllClientsWithProperties(self):
2936
3445
"D-Bus method"
2937
3446
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3447
{c.dbus_object_path: c.GetAll(
2939
3448
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3449
for c in tcp_server.clients.values()},
2941
3450
signature="oa{sv}")
2942
3451
2943
3452
@dbus.service.method(_interface, in_signature="o")
2944
3453
def RemoveClient(self, object_path):
2945
3454
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3455
for c in tcp_server.clients.values():
2947
3456
if c.dbus_object_path == object_path:
2948
3457
del tcp_server.clients[c.name]
2949
3458
c.remove_from_connection()
2953
3462
self.client_removed_signal(c)
2954
3463
return
2955
3464
raise KeyError(object_path)
2956
3465
2957
3466
del _interface
2958
3467
2959
3468
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3469
out_signature="a{oa{sa{sv}}}")
2961
3470
def GetManagedObjects(self):
2962
3471
"""D-Bus method"""
2963
3472
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3473
{client.dbus_object_path:
3474
dbus.Dictionary(
3475
{interface: client.GetAll(interface)
3476
for interface in
3477
client._get_all_interface_names()})
3478
for client in tcp_server.clients.values()})
3479
2971
3480
def client_added_signal(self, client):
2972
3481
"""Send the new standard signal and the old signal"""
2973
3482
if use_dbus:
2975
3484
self.InterfacesAdded(
2976
3485
client.dbus_object_path,
2977
3486
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3487
{interface: client.GetAll(interface)
3488
for interface in
3489
client._get_all_interface_names()}))
2981
3490
# Old signal
2982
3491
self.ClientAdded(client.dbus_object_path)
2983
3492
2984
3493
def client_removed_signal(self, client):
2985
3494
"""Send the new standard signal and the old signal"""
2986
3495
if use_dbus:
2991
3500
# Old signal
2992
3501
self.ClientRemoved(client.dbus_object_path,
2993
3502
client.name)
2994
3503
2995
3504
mandos_dbus_service = MandosDBusService()
2996
3505
3506
# Save modules to variables to exempt the modules from being
3507
# unloaded before the function registered with atexit() is run.
3508
mp = multiprocessing
3509
wn = wnull
3510
2997
3511
def cleanup():
2998
3512
"Cleanup function; run on exit"
2999
3513
if zeroconf:
3000
3514
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3515
3516
mp.active_children()
3517
wn.close()
3004
3518
if not (tcp_server.clients or client_settings):
3005
3519
return
3006
3520
3007
3521
# Store client before exiting. Secrets are encrypted with key
3008
3522
# based on what config file has. If config file is
3009
3523
# removed/edited, old secret will thus be unrecovable.
3010
3524
clients = {}
3011
3525
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3526
for client in tcp_server.clients.values():
3013
3527
key = client_settings[client.name]["secret"]
3014
3528
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3529
key)
3016
3530
client_dict = {}
3017
3531
3018
3532
# A list of attributes that can not be pickled
3019
3533
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3534
exclude = {"bus", "changedstate", "secret",
3535
"checker", "server_settings"}
3022
3536
for name, typ in inspect.getmembers(dbus.service
3023
3537
.Object):
3024
3538
exclude.add(name)
3025
3539
3026
3540
client_dict["encrypted_secret"] = (client
3027
3541
.encrypted_secret)
3028
3542
for attr in client.client_structure:
3029
3543
if attr not in exclude:
3030
3544
client_dict[attr] = getattr(client, attr)
3031
3545
3032
3546
clients[client.name] = client_dict
3033
3547
del client_settings[client.name]["secret"]
3034
3548
3035
3549
try:
3036
3550
with tempfile.NamedTemporaryFile(
3037
3551
mode='wb',
3039
3553
prefix='clients-',
3040
3554
dir=os.path.dirname(stored_state_path),
3041
3555
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3556
pickle.dump((clients, client_settings), stored_state,
3557
protocol=2)
3043
3558
tempname = stored_state.name
3044
3559
os.rename(tempname, stored_state_path)
3045
3560
except (IOError, OSError) as e:
3055
3570
logger.warning("Could not save persistent state:",
3056
3571
exc_info=e)
3057
3572
raise
3058
3573
3059
3574
# Delete all clients, and settings from config
3060
3575
while tcp_server.clients:
3061
3576
name, client = tcp_server.clients.popitem()
3064
3579
# Don't signal the disabling
3065
3580
client.disable(quiet=True)
3066
3581
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3582
if use_dbus:
3583
mandos_dbus_service.client_removed_signal(client)
3068
3584
client_settings.clear()
3069
3585
3070
3586
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3587
3588
for client in tcp_server.clients.values():
3073
3589
if use_dbus:
3074
3590
# Emit D-Bus signal for adding
3075
3591
mandos_dbus_service.client_added_signal(client)
3076
3592
# Need to initiate checking of clients
3077
3593
if client.enabled:
3078
3594
client.init_checker()
3079
3595
3080
3596
tcp_server.enable()
3081
3597
tcp_server.server_activate()
3082
3598
3083
3599
# Find out what port we got
3084
3600
if zeroconf:
3085
3601
service.port = tcp_server.socket.getsockname()[1]
3090
3606
else: # IPv4
3091
3607
logger.info("Now listening on address %r, port %d",
3092
3608
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3609
3610
# service.interface = tcp_server.socket.getsockname()[3]
3611
3096
3612
try:
3097
3613
if zeroconf:
3098
3614
# From the Avahi example code
3103
3619
cleanup()
3104
3620
sys.exit(1)
3105
3621
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3622
3623
GLib.io_add_watch(
3624
GLib.IOChannel.unix_new(tcp_server.fileno()),
3625
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3626
lambda *args, **kwargs: (tcp_server.handle_request
3627
(*args[2:], **kwargs) or True))
3628
3112
3629
logger.debug("Starting main loop")
3113
3630
main_loop.run()
3114
3631
except AvahiError as error:
3123
3640
# Must run before the D-Bus bus name gets deregistered
3124
3641
cleanup()
3125
3642
3643
3644
def should_only_run_tests():
3645
parser = argparse.ArgumentParser(add_help=False)
3646
parser.add_argument("--check", action='store_true')
3647
args, unknown_args = parser.parse_known_args()
3648
run_tests = args.check
3649
if run_tests:
3650
# Remove --check argument from sys.argv
3651
sys.argv[1:] = unknown_args
3652
return run_tests
3653
3654
# Add all tests from doctest strings
3655
def load_tests(loader, tests, none):
3656
import doctest
3657
tests.addTests(doctest.DocTestSuite())
3658
return tests
3126
3659
3127
3660
if __name__ == '__main__':
3128
main()
3661
try:
3662
if should_only_run_tests():
3663
# Call using ./mandos --check [--verbose]
3664
unittest.main()
3665
else:
3666
main()
3667
finally:
3668
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0